当前位置:网站首页>API supplement of JDBC

API supplement of JDBC

2022-07-25 10:54:00 Hua Weiyun

  Four 、ResultSet

ResultSet( Result set object ) effect :

1. Encapsulates the DQL The result of the query statement

ResultSet  stmt.executeQuery(sql): perform DQL sentence , return ResultSet object

Get query results

boolean   next():(1) Move the cursor forward one line from the current position (2) Judge whether the current line is a valid line

    Return value : The current row has data returned true, There is currently no data returned false.

xxx     getXxx( Parameters ): get data

    explain :xxx Represents the data type ; Such as int  getInt( Parameters );String getString( Parameters );

    Parameters : about int Is the number of the column , from 1 Start , about String Is the name of the column .

Use steps :

1、 Move the cursor down one line , And judge whether the line has data :next()

2、 get data :getXxx( Parameters )

Example :

while(rs.next()){    rs.getXxx( Parameters );}

example :

package com.jdbc;import com.mysql.jdbc.Connection;import java.sql.DriverManager;import java.sql.ResultSet;import java.sql.Statement;public class JDBCDemo3_ResultSet {    public static void main(String[] args) throws Exception {        //1、 Registration drive         Class.forName("com.mysql.jdbc.Driver");       //2、 Get the connection          //url The format is :"jdbc:mysql://mysql Of ip: Port number / Operational database "        String url="jdbc:mysql://127.0.0.1:3306/kc_db01";        //username Is your mysql user name         String username="root";        //password Is your mysql password         String password="123456";        Connection conn= (Connection) DriverManager.getConnection(url, username, password);        //3、 Definition sql        String sql="select *from emp";        //4、 Access to perform sql Of Statement object         Statement stmt=conn.createStatement();        //5、 perform sql sentence         ResultSet rs=stmt.executeQuery(sql);        //6 Processing results       while(rs.next()){          // get data  getXxx(); You can write the line in parentheses , You can also write column names           int id=rs.getInt(1);          String ename=rs.getString(2);          int salary=rs.getInt(3);          // Another way of writing : Write the name of the line //          int id=rs.getInt("id");//          String ename=rs.getString("ename");//          int salary=rs.getInt("salary");          System.out.println(id);          System.out.println(ename);          System.out.println(salary);          System.out.println("-----------");      }        //7、 Release resources ( Open first and then release )        rs.close();        stmt.close();        conn.close();    }}

In the database emp surface

edit

  After running :

edit


 ResultSet Case study

demand : Inquire about account Account data , Encapsulated in the Account In the object , And store it in ArrayList Collection

edit

  Create a pojo package , Used to store objects .

edit

  Created a class , Provide getSet Method 

package com.pojo;public class Account {    private int id;    private String ename;    private int salary;    public int getId() {        return id;    }    public void setId(int id) {        this.id = id;    }    public String getEname() {        return ename;    }    public void setEname(String ename) {        this.ename = ename;    }    public int getSalary() {        return salary;    }    public void setSalary(int salary) {        this.salary = salary;    }    // In order to better show , rewrite toString() Method     @Override    public String toString() {        return "Account{" +                "id=" + id +                ", ename='" + ename + '\'' +                ", salary=" + salary +                '}'+"\n";    }}

jdbc In the class created under the package 

package com.jdbc;import com.mysql.jdbc.Connection;import com.pojo.Account;import java.sql.DriverManager;import java.sql.ResultSet;import java.sql.Statement;import java.util.ArrayList;import java.util.List;public class JDBCDemo4_ResultSet {    public static void main(String[] args) throws Exception {        //1、 Registration drive         Class.forName("com.mysql.jdbc.Driver");       //2、 Get the connection          //url The format is :"jdbc:mysql://mysql Of ip: Port number / Operational database "        String url="jdbc:mysql://127.0.0.1:3306/kc_db01";        //username Is your mysql user name         String username="root";        //password Is your mysql password         String password="123456";        Connection conn= (Connection) DriverManager.getConnection(url, username, password);        //3、 Definition sql        String sql="select *from emp";        //4、 Access to perform sql Of Statement object         Statement stmt=conn.createStatement();        //5、 perform sql sentence         ResultSet rs=stmt.executeQuery(sql);        //6 Processing results         // Create a collection object         List<Account> list=new ArrayList<>();      while(rs.next()){          // establish Account object           Account account=new Account();          // get data  getXxx(); You can write the line in parentheses , You can also write column names           int id=rs.getInt(1);          String ename=rs.getString(2);          int salary=rs.getInt(3);          // Assignment data           account.setId(id);          account.setEname(ename);          account.setSalary(salary);          list.add(account);      }        System.out.println(list);        //7、 Release resources ( Open first and then release )        rs.close();        stmt.close();        conn.close();    }}

Running results :

edit

5、 ... and 、PreparedStatement

PreparedStatement effect :

1、 precompile SQL Statement and execute : The prevention of SQL Injection problem

SQL Inject

SQL Injection is to modify pre-defined by operating input SQL sentence , The method used to execute code to attack the server .

Demonstrate normal login :

First, data record kc_db1 Under the emp The table is :

edit 



package com.jdbc;import com.mysql.jdbc.Connection;import java.sql.DriverManager;import java.sql.ResultSet;import java.sql.Statement;public class JDBCDemo5_UserLogin {    public static void main(String[] args) throws Exception {       //2、 Get the connection          //url The format is :"jdbc:mysql://mysql Of ip: Port number / Operational database "        String url="jdbc:mysql://127.0.0.1:3306/kc_db01";        //username Is your mysql user name         String username="root";        //password Is your mysql password         String password="123456";        Connection conn= (Connection) DriverManager.getConnection(url, username, password);           String name="zhangsan";           String pwd="1233";        //3、 Definition sql        String sql="select *from emp where ename='"+name+"'and password='"+pwd+"'" ;        System.out.println(" This article SQL The sentence is :"+sql);        //4、 Access to perform sql Of Statement object         Statement stat=conn.createStatement();        //5、 perform sql sentence         ResultSet rs = stat.executeQuery(sql);        //6 Processing results ,rs A value indicates that the search is successful       if(rs.next()){          System.out.println(" Login successful ");      }else{          System.out.println(" Login failed ");      }        //7、 Release resources ( Open first and then release )        rs.close();        stat.close();        conn.close();    }}

Running results :

edit

  Enter other ( The reason for the failure is that there is no account with this password in the database ):

edit

 sql Inject Demo :

For this article sql It's not about passwords , Any account number 

 String name=" A casual name "; String pwd=" ' or '1'='1";

Running results : edit

This article SQL The sentence is :select *from emp where ename=' A casual name 'and password=' ' or  '1'='1'

 sql The essence of injection is to change the original SQL sentence , Join in or after 1=1 Always true , So this sentence is true

 PreparedStatement solve SQL Inject

① obtain PreparedStatement object 

//sql Parameters in statement , Use ? Instead of String sql="select *from user where username=? and password=?";// adopt Connection Object acquisition , And pass in the corresponding sql sentence PreparedStatement  pstmt=conn.prepareStatement(sql);

② Set parameters

PreparedStatement object :setXxx( Parameters 1, Parameters 2): Expressed as a parameter 1(? The location of ) Assign value to parameter 2

Xxx: data type ; arbitrarily setInt( Parameters 1, Parameters 2)

Parameters

  •     Parameters 1: Express ? Location number of , from 1 Start
  •     Parameters 2: ? Value

③ perform sql

executeUpdate();/excuteQuery(); There is no need to pass... In parentheses sql.

Create a class :

package com.jdbc;import com.mysql.jdbc.Connection;import java.sql.DriverManager;import java.sql.PreparedStatement;import java.sql.ResultSet;import java.sql.Statement;import java.util.Scanner;public class JDBCDemo5_UserLogin {    public static void main(String[] args) throws Exception {       //2、 Get the connection          //url The format is :"jdbc:mysql://mysql Of ip: Port number / Operational database "        String url="jdbc:mysql://127.0.0.1:3306/kc_db01";        //username Is your mysql user name         String username="root";        //password Is your mysql password         String password="123456";        Connection conn= (Connection) DriverManager.getConnection(url, username, password);           String name=" A casual name ";           String pwd=" ' or '1'='1";        //3、 Definition sql        String sql="select *from emp where ename=? and password=?" ;        //4、 Acquired PreparedStatement object         PreparedStatement pstmt = conn.prepareStatement(sql);        // Set parameters         pstmt.setString(1, name);        pstmt.setString(2, pwd);        //5、 perform sql sentence         ResultSet rs =pstmt.executeQuery();        System.out.println(" This article SQL The sentence is :"+sql);        //6 Processing results ,rs A value indicates that the search is successful       if(rs.next()){          System.out.println(" Login successful ");      }else{          System.out.println(" Login failed ");      }        //7、 Release resources ( Open first and then release )        rs.close();       pstmt.close();        conn.close();    }}

  Running results :

edit

  This prevents sql Inject ,setXxx The parameters passed in will be escaped , Not spliced into strings, but \' or\ ' 1\' = \' 1\'

  Enter the correct :

edit

 PrepareStatement principle

PrepareStatement benefits :

1、 precompile SQL, Higher performance

2、 prevent sql Inject .

my.ini The configuration file can see the log 

log-output=FILE general-log=1general_log_file="D:\mysql.log" slow-query-log=1slow_query_log_file="D:\mysql_slow.log" long_query_time=2

The precompile function is off by default

①:PreparedStatement Precompile function Turn on :userServerPrepStmts=true

  stay sql sentence ? Then write the parameters 

        String url="jdbc:mysql://127.0.0.1:3306/kc_db01"?userServerPrepStmts=true;

When you open it, you will prepare precompile : 

edit

  After closing, there is no Prepare Stage

edit


原网站

版权声明
本文为[Hua Weiyun]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/206/202207251005548397.html

边栏推荐

猜你喜欢

随机推荐